After Strava, fitness app Polar exposes location history of soldiers and spies

When the “Run and Cycling Tracking” app Strava started being used by militaries around the world, many military bases had their locations exposed. Now, Bellingcat and De Correspondent report, that’s happening to soldiers’ and spies’ homes too, courtesy of the app Polar. Polar openly publishes users’ exercise and cycling routes on the internet unless users set their location history to private. This has led to many route ‘heatmaps’ revealing roads and military installations that are generally classified information. The problem now seems worse than Strava’s, since Bellingcat was able to literally map out a soldier’s deployment history (albeit not the specific times they were at a location) along with his name and home address. All this from heatmaps of his exercise routine.

The service has halted its “Explore” feature and now sets all map data it collects to private by default. These changes came following an August 2017 privacy policy change, per Bellingcat. In response to Strava’s breach earlier, the US military revised its rules on fitness trackers and started requiring soldiers to make their fitness history private. “It is likely other countries will have done so too,” Bellingcat said.

What Polar exposed

According to the researchers, Polar exposed:

— Diplomats’ and soldiers’ exercise routines, including at nuclear facilities
— NSA and CIA employees’ exercise routines
— American and Russian soldiers’ movements in hotspots like the Crimea, Baghdad, and Guantanamo
— Troops stationed near the 38th Parallel in the Korean DMZ

The researchers found over 200 sensitive sites, with around 6,500 individuals (everyone from soldiers to a major manufacturing company’s CEO), and were able to glean a significant amount of information about them. Polar currently doesn’t offer a convenient way for users to delete or make private all their public information, which means that sessions need to be deleted individually. For individuals in military installations who exercise every day, that could mean spending a significant amount of time hitting ‘delete’. Even after switching their account to private, past sessions continue to be available publicly. What’s more, many soldiers had their real names and pictures associated with their profiles.

Data collection debate

This revelation is only public because all the data that led to it is public too. Strava and Polar are the rare creatures where all this information — essential to their business — was public by default. And mapped out conveniently on Google Maps at that. But the fact is that these apps are probably not the only players collecting the data they have. Every app from Google to that one train booking app that asked for blanket location permissions to determine whether you’re near train tracks could be mined for valuable data about users.

This is why privacy activists frequently demand the right to object to data collection and the right to know how data is being processed and made available. It’s also why concepts like anonymising data (removing all identifying data associated with a user’s information) are vital aspects of data protection. In India, the Srikrishna Committee will be submitting their report on data protection, which covers these debates, to the government on July 15.